Posted
by
Soulskillon Wednesday November 30, 2011 @06:15AM
from the hand-in-cookie-jar dept.

Token_Internet_Girl writes with a followup to last week's news about Android developer Trevor Eckhart, who was researching software from CarrierIQ, installed on millions of cellphones, that secretly logged a variety of user information — from button presses to text message contents to browsing data. CarrierIQ tried to silence Eckhart, but later backtracked. Now, Eckhart has posted a video demonstration of CarrierIQ's logging software. From the article:
"The company denies its software logs keystrokes. Eckhart’s 17-minute video clearly undercuts that claim. ... The video shows the software logging Eckhart's online search of 'hello world.' That's despite Eckhart using the HTTPS version of Google, which is supposed to hide searches from those who would want to spy by intercepting the traffic between a user and Google. ...the video shows the software logging each number as Eckhart fingers the dialer. 'Every button you press in the dialer before you call,' he says on the video, 'it already gets sent off to the IQ application.'"

After selecting what permissions the app can have, you need to reboot to take it affect.And the other great application is Droidwall what is firewall (needs root as well) where you choose per application does it have access to WLAN or 3G internet connection. Great to limit some apps only to use WLAN instead 3G or vice versa.

If you need root for these things, you may as well just grab a custom ROM to go along with it which has CIQ removed (well, most devs remove it anyway). I know my Sensation third-party ROM (ARHD 4.1.x) doesn't have CIQ anywhere in it, I've checked.
After all, flashing a ROM after rooting is a really small step in terms of difficulty and then you're totally free of CIQ.

There are a few methods, that I am aware of, that might, although the legality of such methods I am unsure of, still allow for cell phone use while preventing this sort of spying from occurring.

One method, is to get a GNU Radio ( http://gnuradio.org/redmine/projects/gnuradio/wiki [gnuradio.org] ) device and operate it as a cellphone carrier firewall. This would accept connections from your cell phone, log and allow you to filter what is being sent, and then communicate with your carrier.

The other method, would be to use a cellphone data device / mobile hotspot, and then operate your cell phone using encrypted VOIP to an Asterisk server in your home / office.

If there are other methods, by all means let everyone know about them.

Some other folks were speculating that since you signed an agreement with your carrier that it somehow makes this legal. This is absolutely false. There are certain rights that you can sign away, certainly, but don't think of it like that. Think of it like, "What is Verizon doing with this data and how are they transporting it?"

Here's a few laws and industry regulations they are violating (by recording all keystrokes) off the top of my head:

1) The Payment Card Industry Data Security Standard (PCI DSS): If anyone ever (ever) enters credit card information into their phone (via an app, web page, whatever) that data must be protected according to the DSS (because all the carriers accept credit cards, that is). That means it must be encrypted in transit, when it is stored, and more importantly: certain information must *NOT* be stored (again, ever). For example, if a user enters the CVV2 from their card into an online form the carrier must ensure that this data does not get stored (good luck with THAT regex! hah!).

2) Graham Leach Bliley Act (GLBA). Undoubtedly, personally identifiable financial information is being recorded, transported, and stored without the user's knowledge or consent (each transaction/event would need its own notice and agreement with the carrier). That could add up to literally MILLIONS of violations.

3) Sarbanes Oxley: If they're recording this data they had better damned well keep an audit trail on it and be regularly disclosing that they're doing so to all their investors. They also must have documented controls & procedures and (likely) perform regular audits to ensure that said controls & procedures are being properly followed.

4) They can be held liable for having knowledge of crimes but not reporting them.

5) They can lose their common carrier status: Since they're now recording literally everything users do online they can be held (partially) accountable for what those users do. If you recorded the data you certainly could've audited it for fraudulent activity. "Have you been the victim of a crime that took place over a cell phone? Call the law offices of Sue & Win."

6) There's probably a dozen laws that say you can't intercept and/or store information related to people's banking accounts and financial transactions (unless you're the bank that the customer is interacting with). These laws are the ones that should make the carriers quiver in their boots. Some of these were written specifically to deal with gangsters and organized crime and as such could land executives in prison (not that I think the U.S. Attourney General would prosecute since our government is sadly, "stupidly hard on individual crime but soft on corporate crime").

7) Unless their contract specifically spells out that they're going to record every keystroke you enter into your phone they've opened themselves up to millions of lawsuits. If anyone ever wins one of these it will be game over for the carriers. "verizon" and "at&t" will likely become some of those "$50-per-click" Adwords on Google.

8) If they're not using proper encryption of this data in transit and storage, the PCI DSS will be the least of their problems... That's criminal negligence right there. After hearing all the controls the Payment Card Industry requires of the carriers for something as simple as a credit card number what jury could be convinced of a defense such as, "We didn't know!"?!? I mean, seriously. Forget being fired. If someone knowingly decided it was a good idea to record all keystrokes they should go to prison. It is the penultimate example of why you don't put non-technical people in charge of making technical decisions.

1) Apple gathers "crowd-sourced Wi-Fi hotspot and cell tower data". To do this, your iPhone sends your location along with your Wi-Fi hotspot and cell tower data (SSIDs, signal strength) to Apple. They do say that the request is anonymised so they have no way of figuring out who you are based on the request, but clearly they could just correlate the geo-tagged request with non-geo requests coming from your phone and figure out who you are.

2) Apple has an advertising system (iAds) that uses your location to send you targetted ads. Obviously this involves Apple knowing what your location is.

3) Apple provides application crash logs to third party developers. They say the logs are anonymous, but an app developer could easily include enough information to identify you (a username, IP address etc.).

4) Apple tracks you when you travel. They say it is anonymous, but again they could clearly figure out who you if they wanted to. ("Apple is now collecting anonymous traffic data to build a crowd-sourced traffic database.")

Apple's profit motive is not in the collecting of user information like Google's is, it's in the selling of devices.

iAds: [apple.com] "The iAd mobile advertising network is a significant revenue stream for developers and a powerful way for brands to reach millions of iOS users." This is different to Google how?

I should add, that the moment I heard that Google was releasing a smartphone OS aka Android, my first thought was "Nice. Now google can spy on everyone when they are away from their computer and follow their movements in the physical world."

It should be noted that CarrierIQ is not Google and is not related to Google. This is a third party which makes a rootkit/spyware app that carriers have installed on handsets that they sell (it is not part of a vanilla Android install).